Membership information +44 113 241 0727
Medicolegal advice +44 113 243 6436

Confidentiality – General principles

4 Feb 2021

Confidentiality is at the centre of maintaining trust between patients and doctors. As a doctor, you have access to sensitive personal information about patients and you have a legal and ethical duty to keep this information confidential, unless the patient consents to the disclosure, disclosure is required by law or is necessary in the public interest.

This factsheet sets out the basic principles of confidentiality.

General principles

Data relating to an identifiable individual should be held securely. There is a range of official guidance on confidentiality that has been produced by various Medical Councils across the Caribbean region. The most extensive is referenced below.

The Medical Council of Jamaica’s Guide to Ethical Practice highlights that healthcare practitioners  must “respect a patient’s privacy, and maintain confidentiality and safety of his/her medical records”, while also making “appropriate referrals in a confidential manner, in order to provide the best care possible for the patient”.

The Bahamas Medical Council has detailed guidance on confidentiality in the Code of Professional Conduct, which can be summarised in the statement: “A physician shall respect a patient’s right to confidentiality. It is ethical to disclose confidential information when the patient consents to it or when there is a real and imminent threat of harm to the patient or to others and this threat can be only removed by a breach of confidentiality.”

The Guyana Medical Council’s Code of Conduct and Standards of Practice states: “Unless otherwise required by law or by the need to protect the welfare of the individual or the public interest, a medical practitioner shall not divulge confidential information in respect of a patient.”

The Bermuda Medical Council’s Standards of Practice for Medical Practitioners states: “Physicians must maintain patient confidentiality even after a patient’s death unless release is required by law or public interest considerations or with the consent of the patient.” They go on to highlight the importance of not disclosing information to anyone, including a patient’s family members, without their consent, particularly in a small community such as Bermuda. Any limits to confidentiality must be advised if mandatory reporting is required, such as with minors.

Disclosures of patient information

You should take care to avoid unintentional disclosure – for example, by ensuring that any consultations with patients cannot be overheard. Your duty of confidentiality relates to all information you hold about your patients, including demographic data, the dates and times of any appointments your patients may have made, and the fact that an individual may be a patient of yours or registered with your practice.

When disclosing information in any of the situations outlined below, you should ensure that the disclosure is proportional – anonymised if possible – and includes only the minimum information necessary for the purpose.

Consent to disclosure

Before disclosing any information about a patient to a third party, you should seek the patient’s consent to the disclosure. Consent may be implied or express; most patients understand that information about their health needs to be shared within the healthcare team providing care, and so implied consent is adequate in this circumstance.

Implied consent is also acceptable for the purposes of clinical audit within the healthcare team, as long as patients have been made aware of the possibility by notices in the waiting room, for example, and the patient has not objected to having their information used in this way. If the patient does object, their objection should be respected and their data should not be used for audit purposes.

Express consent is needed if patient-identifiable data is to be disclosed for any other purpose, except if the disclosure is required by law or is necessary in the public interest.

In order for consent to disclosure to be valid, the patient needs to be competent to give consent, and provided with full information about the extent of the disclosure. Adult patients are assumed to be competent, unless you have specific reason to doubt this. When taking consent for disclosure of information about a patient, you should ensure the patient is aware of what data will be disclosed, and to whom.

You must take care to avoid coercion, where a patient feels they cannot say “no” to a proposed treatment, or that they cannot challenge your assumption that they would have no objections. You should check that the patient has no apprehensions before proceeding, because “consent” that is not given freely is not valid.

Disclosures without consent

In some circumstances, you are obliged to disclose information to comply with the law or to prevent serious harm to the patient or others. In such cases, you should disclose the information – even if you do not have the patient’s consent. You must carefully consider the arguments for and against the disclosure and be able to justify your decision.

It would be sensible to seek advice from experienced colleagues, your medical defence organisation, a professional association or an ethics committee. For more information on disclosures without consent, see the Medical Protection factsheet Confidentiality – Disclosures without consent.

After a patient has died

Your duty of confidentiality to your patient remains after death. In some situations, such as a complaint arising after a patient’s death, you should discuss relevant information with the family, especially if the patient was a child. If you reasonably believe that the patient wished that specific information should remain confidential after their death, or if the patient has asked, you should usually respect that wish.

If you are unaware of any instructions from the patient, and are considering disclosing information, you should be sensitive to the patient’s surviving partner or relatives. You should take into account whether such a disclosure is likely to cause them distress or be of benefit; you should also consider whether the information will also release details of members of the patient’s family, or anyone else. Overall, you should consider the purpose of the disclosure and check whether the information can be anonymised or coded before disclosure.

The “personal representative” of the patient (usually an executor of the will, or an administrator if there is no will) can apply for access to the relevant part of a patient’s medical records (excepting harmful or third party information), as can someone who has a claim arising out of the patient’s death (eg for a life assurance claim), or a claim in negligence.

Further information